Smaug, the brand new OVHcloud backbone network infrastructure (ovh.com)
59 points by sm2i on Aug 13, 2020 | hide | past | favorite | 31 comments



OVH Hardware, support and pricing is GREAT! Buuuuutttttt...

Their firewall situation is not. Guess what, if you use the supplied firewall, any server from any other customer in the local NOC that your server is in, can connect to your server. They seem to be all "safely" behind the OVH firewall product.

You have to protect each server individually with its own in-machine firewall.

I don't want to automatically trust all other OVH customers.

At first I thought I was doing something wrong (more than a decade of setting up firewalls). But I did put in a support ticket and they confirmed this.

Maybe I'm wrong, maybe something I did not understand, but damn... If I'm not.... :-(


> You have to protect each server individually with its own in-machine firewall.

That's the standard practice?

OVH's own firewall is for DDoS/DoS protection, not for fine-grained security, did I understand OVH's information incorrectly?


Ouch. That probably means there's a metric shit tonne of VMs running Docker with open ports in their data centres.

Saying that because (by default) Docker screws with firewall rules on the VM when it starts up, to allow other hosts to communicate with the containers.

In other hosting environments, the workaround is to apply firewall rules to your VMs using the hosting infrastructure capabilities, e.g. separate from the iptables (etc.) rules on each host.


Yes. There are two different products: VAC, which is for DDoS protection, and general SDN firewall/security groups which is only OVHcloud (not dedicated servers).

In the most general case, it seems other customers can actually send DDoS/volumetric traffic toward you from within OVH and it doesn't get picked up.


That's not really even a firewall issue, just a very poorly configured network. Pretty shameful for a provider of their size.


Because I was thinking about OVHCloud: they don't have a VPN with private IPs? And load balancers like AWS/Digital Ocean?


Can this be mitigated by using something like ufw and restricting the IP access?


Unless you use Docker, then it doesn't really matter. You really have to make sure your Docker containers are not exposing ports they shouldn't be.


Is there a good tutorial you can recommend on how to audit this?


No, but I would start with a `docker ps` and see what ports it's forwarding.
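Added example, not from any commenter in this thread: the audit suggested above (look at what `docker ps` forwards) and the reason it matters (Docker installs its own DNAT/FORWARD rules for published ports, so ufw/INPUT rules do not apply to them). This script parses the `NetworkSettings.Ports` structure that `docker inspect` emits and flags every published port bound to a wildcard address (0.0.0.0, ::, or an empty HostIp, which Docker treats as "all interfaces"). The container names, ports and JSON in `SAMPLE` are constructed for the example.

```python
"""Flag Docker port publications reachable from other hosts on the network.

Docker publishes a port by adding DNAT rules in the nat table and accept
rules in its own DOCKER chain of the FORWARD table. Host firewall rules on
INPUT (which is what ufw manages) never see that traffic, so a port bound
to 0.0.0.0 or :: is open to the whole segment regardless of ufw state.
"""
import json
import sys
from typing import Dict, List, Optional

# HostIp values Docker uses for "listen on every interface".
WILDCARD_HOST_IPS = {"0.0.0.0", "::", ""}


def find_exposed_ports(ports: Optional[Dict[str, Optional[list]]]) -> List[dict]:
    """Return one entry per published mapping bound to a wildcard address.

    `ports` is NetworkSettings.Ports from `docker inspect`, e.g.
    {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}], "6379/tcp": None}
    A None value means the port is only exposed inside the container network,
    which is not reachable from other hosts and is therefore not reported.
    """
    exposed = []
    for container_port, bindings in (ports or {}).items():
        for binding in bindings or []:
            host_ip = binding.get("HostIp", "")
            if host_ip in WILDCARD_HOST_IPS:
                exposed.append({
                    "container_port": container_port,
                    "host_ip": host_ip or "0.0.0.0",
                    "host_port": binding.get("HostPort", ""),
                })
    return exposed


def audit_inspect_output(inspect_json: str) -> Dict[str, List[dict]]:
    """Map container name -> wildcard-bound publications, for the whole
    `docker inspect <ids...>` JSON array. Containers with nothing exposed
    are omitted."""
    findings: Dict[str, List[dict]] = {}
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        ports = container.get("NetworkSettings", {}).get("Ports")
        found = find_exposed_ports(ports)
        if found:
            findings[name] = found
    return findings


def suggest_fix(container_port: str, host_port: str) -> str:
    """The narrowest `docker run -p` form: bind the host side to loopback
    so only local processes (or a reverse proxy) can reach it."""
    return f"-p 127.0.0.1:{host_port}:{container_port}"


# Constructed sample of `docker inspect` output (three hypothetical containers).
SAMPLE = json.dumps([
    {"Name": "/web", "NetworkSettings": {"Ports": {
        "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"},
                   {"HostIp": "::", "HostPort": "8080"}]}}},
    {"Name": "/db", "NetworkSettings": {"Ports": {
        "5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}]}}},
    {"Name": "/cache", "NetworkSettings": {"Ports": {"6379/tcp": None}}},
])


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 audit_docker_ports.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for name, entries in audit_inspect_output(data).items():
        for e in entries:
            print(f"{name}: {e['host_ip']}:{e['host_port']} -> {e['container_port']}"
                  f"  (consider {suggest_fix(e['container_port'], e['host_port'])})")
```

Binding to 127.0.0.1 is the per-container fix; the host-wide one is to put your own DROP/ACCEPT rules in the `DOCKER-USER` chain, which Docker creates precisely so that administrator rules are evaluated before its own FORWARD rules.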


That is what the OP said to do in his post.


I had the worst experience from a VPS/dedicated hosting provider with OVH a few years back. Long story short: I had a dedicated server with software RAID. After a month, one of the disks failed. I gave them all the details, SN of the disk at fault etc., but apparently they removed the good disk and I lost the server. I asked them to put it back and they told me they had destroyed it; luckily I had a backup. Lastly I asked for a refund and they didn't give anything back.

I moved to hetzner immediately, and I haven’t had such issues till today.

I know that you can’t expect much from cheap providers but OVH is extremely unprofessional in my experience.


Amazon did about the same exact thing to me a while back, so you're not alone, and it's not just cheap hosts that make that mistake, as we spent 10k/mo on support alone. (AWS had EBS silently fail, which is awful enough, but then restored data from the 'bad leg' of the system and lost all.) To this day I've never trusted them again. Maybe I should get over it but, would you?


I can't imagine that any of the ebs recovery isn't fully automated now, if it wasn't then.


Guess you were unlucky; I've hosted with them since 2004 and it has been good with 100s of servers.


Notice how there’s no info on IPv6. That’s because OVH has horrible support for IPv6 and requires non standard routes to be set because they don’t support router advertisements. They also rely on ND packets and not static routing for IPv6, and also block outgoing IPv6 packets if an incoming IPv6 address has not been established. I would avoid OVH.


You’re being downvoted, but a hosting provider redesigning their core network infrastructure in 2020 without proper IPv6 support is really bad imho.

It’s unacceptable that all these (cloud) hosting providers collectively make ISPs look good.


I miss OVH's old control panel. It was so nerdy and to-the-point, unlike their newer modern interface that heats up my CPU with boatloads of javascript, and adopts the 'flat' design pattern that has now permeated every site in existence.


Yeah it seems every time I log in something has changed ...


What they describe sounds to me exactly like standard architecture for combining PoPs and peering with backbone providers. What am I missing?


Nothing really, they were on worse designs for years and they came to a point that it couldn’t scale, so they had to come up with a new proper design


OVH is an absolutely shitty company. I've seen a tremendous uptick of spam from OVH that they're happy to simply ignore. The same kind of spam using the same content, the same registration patterns and the same template have existed on their networks for many months in spite of constant abuse complaints.

I can't imagine why anyone would want to run anything on the same networks that OVH uses to host spammers and scammers.

And good luck talking to an actual human at OVH if something goes wrong.


and their APAC backbone: http://weathermap.ovh.net/#apac with Singapore somewhat migrated to the new architecture


Just a reminder, from Wikipedia (https://en.wikipedia.org/wiki/OVH#Email_spam):

  As of November 2019, OVH is listed by The Spamhaus Project as the world's
  second worst Internet service provider for the proliferation of unsolicited bulk E-Mail
https://www.spamhaus.org/sbl/listings/ovh.net

Looking at the same list now, it recently seems to have added fraud, and many malware distribution entries too.


This is like saying Google is the search engine with the most links to malware pages. 36 IPs is nothing given how big ovh is.


Those entries aren't all singular IP addresses. Some are ranges (etc).

Picking one at random:

https://www.spamhaus.org/sbl/query/SBL492369

That's showing a fair number of IPs.


I can't speak to reports but I can testify about server logs. OVH IPs have been a top source of spam and attacks against my (US) (<10) servers for most of a decade. I'd add Digital Ocean to round out the top 2 list.

If a firewall goes offline for 60 seconds, I will get hammered from OVH/DO networks. Not exclusively but they're the standout kings. Just think Psychz networks, but scaled up.

I know OVH's size plays into that. But size here is less about the number of net blocks and more about their bureaucratic disinterest in abuse (common to larger hosts, inc hosts I like).

There are comparable sized hosts in the US (AWS, Azure) but when it comes to crapty traffic, OVH makes them look small and insignificant[1].

Unlike moderation at scale, known attacks are often qualifiable, detectable patterns. Can we please care enough to notice & maybe eventually, one day interrupt them?

[1]disclaimer: Spam from Google/Azure & malicious SMTP traffic from AWS totally dominated the first ½ of this year. IDK why. It's since died off - which differentiates them from OVH/DO.


Is this the list you are referring to? https://www.spamhaus.org/statistics/networks/

Seems like OVH is not on it anymore.


Cool. Sounds like they've put good effort into cleaning things up then. :)


It's the biggest European cloud provider.


That’s good, it means they won’t bother me about whatever I choose to host. Thanks for your recommendation!



